Social networking sites are ideal havens for online criminal activities as they provide a combination of two key factors: a huge number of users and a high level of trust among these users, cautioned a security specialist.
Ronnie Ng, senior manager of systems engineering at Symantec Singapore, told ZDNet Asia in an e-mail that increased use of social networking sites for business purposes brings new security challenges to enterprises, which now need to strike a balance between managing assets and keeping up with the latest communication tools.
Attacks on social networking sites were "standard practice" for criminals in 2009, with the frequency and sophistication of attacks increasing in the second half of last year, Ng said.
A recent survey by RSA showed that among users worldwide, Asians were the most anxious about their security risk on social networking sites. Symantec also identified the proliferation of social networking sites as one of five security threats to watch for in 2010.
ZDNet Asia spoke to industry experts who highlighted the top five security threats enterprises should be mindful of when using social networking sites.
"Social networking sites are vehicles for malicious attacks to spread malware," said Symantec's Ng, and cautioned against Tweets that point unsuspecting users to download malware.
He gave the example of fake Twitter invitations that have been used to spread a mass-mailing and malicious worm. Instead of pointing to an invitation link, the Tweet directs users to a malicious attachment that gathers e-mail addresses from compromised computers and spreads by copying itself into removable drives and shared folders.
In June 2009, the automated Twitter feed of author and venture capitalist, Guy Kawasaki, redistributed a malicious link to its followers.
In an e-mail interview with ZDNet Asia, Vincent Goh, managing director for RSA Southeast Asia, added that wildfire infections will increase exponentially with social networking sites.
According to Goh, the leading infection methods are drive-by downloads, which hijack legitimate Web sites or route visitors to infected servers, as well as social network infections, where spam carrying links to infected servers is sent to a victim's "friends list".
He added that applications on social networking sites increase a hacker's attack surface because most people would run applications on such sites without thinking twice. Malicious code could also be added to advertisements and banners, he noted.
Stefan Tanase, senior regional researcher for Eastern Europe, Middle East and Africa at Kaspersky Lab's global research and analysis team, said in an e-mail interview that enterprises with already compromised computers may post links distributing malware on their corporate accounts, putting customers at risk of being infected.
Ng said that previously spammers registered their own accounts and sent unsolicited messages through the social networking site. The site would then send an e-mail notification to users about the new message. However, because those messages arrived from an unknown person, spammers are now using a newer technique.
According to Ng, Symantec has observed a rise in a newer technique of social networking site abuse. A sender's account is hijacked and sends messages to everyone who is "connected" to the sender. When the receiver follows the link in the message, malware will try to load. "This example serves as a good reminder to all social networking site users that the message may not be from a friend, even if it is from a friend," said Ng.
3. Targeted attack through employees
Kaspersky Lab's Tanase said employees today share too much information on social networking sites and hence allow themselves to become the point of breach for targeted attacks against the enterprise.
"All the personal information they share can be easily collected by someone with bad intentions and be used in sophisticated social engineering attacks," he said. "Usually, targeted attacks come with serious consequences, like intellectual property theft or corporate espionage."
RSA's Goh added that attackers use the trust factor typically associated with social networking sites to carry out social engineering attacks. "They could use these trusted networks to trick victims into sharing sensitive information or downloading malware like Trojans and worms," he said.
A recent report revealed that attackers had contacted key Google employees via social networks and posed as their friends in a bid to urge them to click on links that contained malware.
According to Symantec's Ng, cyber attackers are using social networking sites to launch attacks that aim to lure victims to a malicious and fake login page to obtain the user's personal login details.
"Phishing attackers send a message to a victim's Facebook inbox, as well as an e-mail notification with the subject 'Hello' or 'Hi'," he explained. "The e-mail appears to have come from the victim's friend and includes text asking the user to visit a malicious and fake Facebook login page, where the attacker will then steal the user's login credentials to launch future attacks."
Goh added that once an attacker breaks into a victim's account, it becomes easy to leverage the victim's social network and harvest information from other users. This information could be used for various cyber criminal activities, such as breaking into the users' online banking accounts or enterprise accounts.
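The notification phishing pattern Ng describes (a "Hello"/"Hi" e-mail that looks like a friend's message but links to a fake login page) can be checked mechanically on the mail gateway. The following is an added defender-side example, not code from the article or from Symantec or RSA; the domain allow-list and the two sample e-mails are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed samples: a genuine-looking notification and a phishing look-alike
# whose link host merely starts with "facebook.com." (assumed, not from the article).
SAMPLE_MAILS = [
    """From: notification+abc@facebookmail.com
Subject: Hi
Content-Type: text/plain

Your friend sent you a message. See it at http://www.facebook.com/inbox/?ref=nf
""",
    """From: notification+abc@facebookmail.com
Subject: Hello
Content-Type: text/plain

Your friend sent you a message. Log in at http://facebook.com.login-check.example/inbox
""",
]

LEGIT_DOMAINS = {"facebook.com", "facebookmail.com"}  # assumed allow-list for the site
SUSPECT_SUBJECTS = {"hello", "hi"}                      # generic subjects named in the article

def host_matches(host, domains):
    """True only if host equals an allowed domain or is a real subdomain of one.
    A host that merely begins with 'facebook.com.' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def analyse(raw):
    """Return a verdict for one notification-style e-mail: any link whose host is
    outside the allow-list marks the mail suspicious; a generic subject is noted
    as a supporting reason."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_payload()
    urls = re.findall(r"""https?://[^\s<>"']+""", body)
    reasons = []
    if subject in SUSPECT_SUBJECTS:
        reasons.append("generic subject")
    for url in urls:
        host = urlparse(url).hostname or ""
        if not host_matches(host, LEGIT_DOMAINS):
            reasons.append(f"link host {host} outside allow-list")
    suspicious = any(r.startswith("link host") for r in reasons)
    return {"suspicious": suspicious, "reasons": reasons}
```

Only the link host decides the verdict; the subject alone is too common to block on, so it is recorded for the analyst rather than used as a trigger.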
5. Human error, leading to leaked corporate data
Tanase cautioned that some employees are also unwittingly posting confidential information about their job and company on social networks, believing this information to be safe.
"Such information about current projects, financial situation or future plans can prove to be invaluable for competitors," he added.
He also pointed out that a corporate social networking site account is usually managed by people with good communication skills, not IT skills.
"The lack of IT security education and strong [user] policies can lead to such an account being compromised, which will badly damage the image of the entire company," he said.
Prevention better than cure
Despite the security risks social networks can bring into a corporate environment, RSA's Goh noted that disabling access to such sites is not the best option as more and more businesses rely on these tools to support their daily operations.
Enterprises then need to make sure their employees are educated about security threats related to social networking sites, and implement a comprehensive access and data control strategy to prevent data loss, he said.
"If the enterprise can govern the access of information to only the right employees, loss of data by the attackers getting into the network could be minimized," he said. "That way, organizations can reap the benefits of social and business networking online, while keeping the fraudsters at bay."